refactor: add encrypted detailed files

[vjousse]

🔧 Problem

In order not to make public the Ecoinvent data containing detailed processes impacts, this data is stored in a private repository on Github https://github.com/MTES-MCT/ecobalyse-private, so it is not included with the source code of the Ecobalyse application, even though it is necessary for its proper functioning. This frequently leads to technical problems when putting features into production, as it is very complicated to keep data synchronized between the two repositories.

🍰 Solution

Re-store detailed processes in the main repository, but encrypt them using git encryption with the help of https://github.com/elasticdog/transcrypt

🚨 Points to watch/comments

The warning *** WARNING : deprecated key derivation used. on the ci is ok for now, see elasticdog/transcrypt#169

As Scalingo doesn't give access to the git repo I need to git clone it when deploying to Scalingo. The I can run transcrypt to decrypt the files and copy them over.

We don't synchronize with ecobalyse-private anymore. To add new detailed files they will just need to be added to a commit in the main repo. You can see the diffs locally but not on Github anymore as the files are encrypted.

🏝️ How to test

Depending on your OS, install trancrypt dependencies listed on https://github.com/elasticdog/transcrypt/blob/main/INSTALL.md. Get the trancrypt key in https://vaultwarden.incubateur.net/. If you don't have access to the Vault, you should ask for one.
You can check that files are encrypted by running:

cat public/data/textile/processes_impacts.json

In should give you some cryptic content.

Then init your repo with transcrypt using the following command (you will need to do it only once for all):

./bin/transcrypt -c aes-256-cbc -p 'transcrypt_key'

The processes should then be decrypted and you should be able to read them directly with:

cat public/data/textile/processes_impacts.json

Try to change some detailed files and check that you can commit the changes in this branch without any problem (you can change the objects one).

[n1k0]

Tested the patch and the decryption/encryption/git workflow, it works great 😄 A few question, nits and remarks and we're good to go 👍

[n1k0]

Nit: does the .builpacks format accept comments? would be nice adding a line about why each is used

Also: is the ssh-private-key-buildpack one still necessary?

[n1k0]

I have something in my eye 🥲

[n1k0]

transcrypt requirement & installation should rather be mentioned in the "Socle technique et prérequis" at the top of the file. Also, see my other comment about why we do need this while we have a local version of it at hand in the repo?

[n1k0]

Shouldn't we rather use en env var for that? Also, shouldn't this be part of the npm commands, eg. npm postinstall and friends, so that npm test works directly?

[n1k0]

Here we're losing the ability the possibility to have diffs entirely on github… may not be part of this patch but I could totally see some utility able to generate a JSON diff with the previous version of the file, at least locally…

[n1k0]

Oh my, this means we'll have to maintain old versions using hacks and bash scripts forever… we should start discussing deprecating and dropping support for older versions (maybe file a card for that)

[n1k0]

This script is way to large and complex to review for me, and I suppose this is just a local versioning of the transcrypt library in this repo, because Scalingo does not allow installing it as a dependency for some reason. So as we have a local version of it in the repo, why do we still need to install transcrypt from package managers locally on devs machines? Can't we just always use this one?